Comment 0 for bug 2027635

I am unable to start a Windows 11 VM with libvirt/QEMU and see the following error message. This happens after I add firmware="efi" in the VM's XML configuration and attempt to start the VM. This is caused by AppArmor.

```
<os firmware="efi">
    <type arch="x86_64" machine="pc-q35-6.1">hvm</type>
    <boot dev="hd"/>
</os>
```

```
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1329, in startup
    self._backend.create()
  File "/usr/local/lib/python3.8/dist-packages/libvirt.py", line 1353, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: internal error: process exited while connecting to monitor: 2023-07-12T23:10:04.929455Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/win11_x64_1_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/qemu/nvram/win11_x64_1_VARS.fd': Permission denied
```

The solution was to add the following lines to the end of /etc/apparmor.d/abstractions/libvirt-qemu:

```
/var/lib/libvirt/qemu/nvram/* rwk,
/sys/kernel/mm/transparent_hugepage/enabled r,
/usr/share/OVMF/OVMF_CODE_4M.secboot.fd rk,
```

After adding those lines, reload apparmor and restart libvirtd service:

```
sudo systemctl reload apparmor.service
sudo systemctl restart libvirtd
```